#
# {{ '{{' }} ansible_managed }}
#


{{ '{%' }} if nginx_default_sites is defined and "{{ role_name }}" in nginx_default_sites {{ '%}' }}
  {{ '{%' }} set default_site = "default_server" {{ '%}' }}
{{ '{%' }} else {{ '%}' }}
  {{ '{%' }} set default_site = "" {{ '%}' }}
{{ '{%' }} endif {{ '%}' }}

upstream {{ role_name }}_app_server {
{{ '{%' }} for host in nginx_{{ role_name }}_gunicorn_hosts {{ '%}' }}
    server {{ '{{' }} host }}:{{ '{{' }} {{ role_name }}_gunicorn_port }} fail_timeout=0;
{{ '{%' }} endfor {{ '%}' }}
}

server {
  server_name {{ '{{' }} {{ role_name|upper }}_HOSTNAME }};

  {{ '{%' }} if NGINX_ENABLE_SSL {{ '%}' }}

  listen {{ '{{' }} {{ role_name|upper }}_NGINX_PORT }} {{ '{{' }} default_site }};
  listen {{ '{{' }} {{ role_name|upper }}_SSL_NGINX_PORT }} ssl;

  ssl_certificate /etc/ssl/certs/{{ '{{' }} NGINX_SSL_CERTIFICATE|basename }};
  ssl_certificate_key /etc/ssl/private/{{ '{{' }} NGINX_SSL_KEY|basename }};
  # request the browser to use SSL for all connections
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  {{ '{%' }} else {{ '%}' }}
  listen {{ '{{' }} {{ role_name|upper }}_NGINX_PORT }} {{ '{{' }} default_site }};
  {{ '{%' }} endif {{ '%}' }}

  location ~ ^/static/(?P<file>.*) {
    root {{ '{{' }} COMMON_DATA_DIR }}/{{ '{{' }} {{ role_name }}_service_name }};
    try_files /staticfiles/$file =404;
  }

  location / {
    try_files $uri @proxy_to_app;
  }

  {{ '{%' }} if NGINX_ROBOT_RULES|length > 0 {{ '%}' }}
  location /robots.txt {
      root {{ '{{' }} nginx_app_dir }};
      try_files $uri /robots.txt =404;
  }
  {{ '{%' }} endif {{ '%}' }}

  location @proxy_to_app {
    {{ '{%' }} if NGINX_SET_X_FORWARDED_HEADERS {{ '%}' }}
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-For $remote_addr;
    {{ '{%' }} else {{ '%}' }}
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
    proxy_set_header X-Forwarded-For $http_x_forwarded_for;
    {{ '{%' }} endif {{ '%}' }}
    proxy_set_header Host $http_host;

    proxy_redirect off;
    proxy_pass http://{{ role_name }}_app_server;
  }

# Prevent invalid display courseware in IE 10+ with high privacy settings
  add_header P3P {{ '{{' }} NGINX_P3P_MESSAGE {{ '}}' }}
  
  # Nginx does not support nested condition or or conditions so
  # there is an unfortunate mix of conditonals here.
  {{ '{%' }} if NGINX_REDIRECT_TO_HTTPS {{ '%}' }}
     {{ '{%' }} if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" {{ '%}' }}
  # Redirect http to https over single instance
  if ($scheme != "https") 
  { 
   set $do_redirect_to_https "true";
  }

     {{ '{%' }} elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" {{ '%}' }}

  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
  if ($http_x_forwarded_proto = "http") 
  {
   set $do_redirect_to_https "true";
  }
     {{ '{%' }} endif {{ '%}' }}

  # Execute the actual redirect
  if ($do_redirect_to_https = "true")
  {
  return 301 https://$host$request_uri;
  }
  {{ '{%' }} endif {{ '%}' }}
}
